Making Security More Intelligent, Microsoft Releases Azure Sentinel

In a recent blog post, Microsoft announced further investments in its intelligent security offerings in the form of a Security Information and Event Management (SIEM) product called Azure Sentinel. SIEMs are used by security professionals as a data store that aggregates security events from logs across a variety of systems, including servers, firewalls, routers, switches and end-user computing devices. Azure Sentinel is a managed platform service that includes artificial intelligence and machine learning to reduce the burden of traditional SIEMs: it eliminates the need to maintain the underlying infrastructure and aims to reduce alert fatigue by providing prescriptive guidance on emerging threats.

SecOps teams are inundated with a very high volume of alerts and spend far too much time on tasks like infrastructure setup and maintenance. As a result, many legitimate threats go unnoticed. An expected shortfall of 3.5M security professionals by 2021 will further increase the challenges for security operations teams. You need a solution that empowers your existing SecOps team to see the threats more clearly and eliminate the distractions.

Microsoft is able to analyze signals from a variety of locations and can scale to address the needs of enterprise customers. Koby Koren, senior product manager at Microsoft, explains how this is possible:

Azure Sentinel works by correlating the security logs and signals from all sources across your apps, services, infrastructure, networks, and users, whether they reside on-premises, in Azure, or in any other cloud. Our built-in AI leverages Microsoft threat intelligence that analyzes trillions of signals every day. And our machine learning models, refined through decades of security experience, filter through the noise from alerts, drilling into it and analyzing thousands of anomalous events, to return a view of threats that really require your attention.

For several years, companies have been exporting their cloud data from Office 365 and Azure and ingesting it into their on-premises SIEM tools. However, this approach has created operational challenges for these organizations. Maarten Goet, a Microsoft regional director, explains:

In the past years, enterprises would hook up the alerts that Microsoft security solutions were generating and forward them back to their on-premises SIEM solution as part of their cloud security strategy. But they are struggling to keep pace with the increasing volume and variety of data they process. Unhappy users complained about the inability of their SIEMs to scale and the volume of alerts they must investigate. Azure Sentinel is a central place to analyze your security data, across all parts of your environment. Cloud security solutions like Azure Sentinel are set to disrupt the Security Operations Center (SOC).

Microsoft wants to reduce the amount of noise that security analysts face while improving the accuracy of alerts. To address these requirements, Azure Sentinel uses AI to triage alerts and to correlate them across many different products and services. Levi explains why Microsoft has invested deeply in AI and ML technologies:

Azure Sentinel uses state-of-the-art, scalable machine learning algorithms to correlate millions of low-fidelity anomalies to present a few high-fidelity security incidents to the analyst. ML technologies will help you quickly get value from large amounts of security data you are ingesting and connect the dots for you. For example, you can quickly see a compromised account that was used to deploy ransomware in a cloud application. This helps reduce noise drastically; in fact, we have seen an overall reduction of up to 90 percent in alert fatigue during evaluations.
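The two quotes above (Koren on correlating signals from many sources, Levi on rolling millions of low-fidelity anomalies into a few high-fidelity incidents) describe the core SIEM correlation pattern without showing it. The following Python sketch is an added example, not Azure Sentinel code and not Microsoft's models: it ingests constructed log lines from a sign-in log and a cloud-app audit log, raises cheap per-event anomalies that would each be too noisy to page on, then correlates them per account inside a time window and emits an incident only when the combined score crosses a threshold. The event schema, rule names, weights, window sizes and threshold are all assumptions chosen for illustration.

```python
"""Toy SIEM correlation: many low-fidelity anomalies -> one high-fidelity incident.

Added example; not Azure Sentinel code. Event format, rules, weights and
thresholds are assumptions for illustration. All log lines are constructed.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample events from two sources (sign-in log, cloud-app audit log).
# Line format (assumed): <ISO time> <source> <user> <event> [key=value ...]
SAMPLE_LOG = """\
2019-03-01T08:02:11Z signin   alice@contoso.example FAILED_LOGIN ip=203.0.113.7
2019-03-01T08:02:19Z signin   alice@contoso.example FAILED_LOGIN ip=203.0.113.7
2019-03-01T08:02:25Z signin   alice@contoso.example FAILED_LOGIN ip=203.0.113.7
2019-03-01T08:03:01Z signin   alice@contoso.example LOGIN_OK     ip=203.0.113.7 country=XX
2019-03-01T08:10:40Z cloudapp alice@contoso.example FILE_RENAME  count=412 ext=.locked
2019-03-01T08:11:02Z cloudapp alice@contoso.example FILE_UPLOAD  name=README_DECRYPT.txt
2019-03-01T09:15:00Z signin   bob@contoso.example   FAILED_LOGIN ip=198.51.100.2
2019-03-01T09:15:30Z signin   bob@contoso.example   LOGIN_OK     ip=198.51.100.2 country=HOME
"""

Anomaly = namedtuple("Anomaly", "user time rule score")

# Tunables (assumed values). Individually each rule is low fidelity: a failed-login
# burst or a single foreign sign-in happens to legitimate users every day.
FAILED_BURST = 3                    # failed logins within BURST_WINDOW
BURST_WINDOW = timedelta(minutes=2)
MASS_RENAME_MIN = 100               # renames in one audit record
INCIDENT_WINDOW = timedelta(minutes=30)
INCIDENT_THRESHOLD = 8              # summed score needed to open an incident


def parse_log(text):
    """Parse the assumed line format into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, user, event, *kv = line.split()
        attrs = dict(item.split("=", 1) for item in kv)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "source": source, "user": user, "event": event, "attrs": attrs})
    return sorted(events, key=lambda e: e["time"])


def detect_anomalies(events):
    """Per-event and short-window rules; each emits a weighted, low-fidelity anomaly."""
    anomalies = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        # Rule 1: burst of failed logins (one anomaly per burst, not per failure).
        failures = [e for e in evs if e["event"] == "FAILED_LOGIN"]
        for i in range(len(failures) - FAILED_BURST + 1):
            last = failures[i + FAILED_BURST - 1]
            if last["time"] - failures[i]["time"] <= BURST_WINDOW:
                anomalies.append(Anomaly(user, last["time"], "failed-login burst", 2))
                break
        for e in evs:
            a = e["attrs"]
            # Rule 2: successful sign-in from a country not marked as the user's home.
            if e["event"] == "LOGIN_OK" and a.get("country") not in (None, "HOME"):
                anomalies.append(Anomaly(user, e["time"], "sign-in from unfamiliar country", 2))
            # Rule 3: mass rename in the cloud app (ransomware-style encryption).
            elif e["event"] == "FILE_RENAME" and int(a.get("count", 0)) >= MASS_RENAME_MIN:
                anomalies.append(Anomaly(user, e["time"], "mass file rename", 5))
            # Rule 4: upload whose name looks like a ransom note.
            elif e["event"] == "FILE_UPLOAD" and "DECRYPT" in a.get("name", "").upper():
                anomalies.append(Anomaly(user, e["time"], "ransom-note-like upload", 3))
    return anomalies


def correlate(anomalies, window=INCIDENT_WINDOW, threshold=INCIDENT_THRESHOLD):
    """Cluster anomalies per user within `window`; open an incident when the score is high enough."""
    incidents = []
    by_user = defaultdict(list)
    for a in sorted(anomalies, key=lambda a: a.time):
        by_user[a.user].append(a)
    for user, items in by_user.items():
        cluster = []
        for a in items + [None]:            # None sentinel flushes the last cluster
            if a is not None and (not cluster or a.time - cluster[0].time <= window):
                cluster.append(a)
                continue
            score = sum(x.score for x in cluster)
            if cluster and score >= threshold:
                incidents.append({"user": user, "score": score,
                                  "start": cluster[0].time, "end": cluster[-1].time,
                                  "rules": [x.rule for x in cluster]})
            cluster = [a] if a is not None else []
    return incidents


if __name__ == "__main__":
    for inc in correlate(detect_anomalies(parse_log(SAMPLE_LOG))):
        print(f"INCIDENT {inc['user']} score={inc['score']} "
              f"{inc['start']:%H:%M}-{inc['end']:%H:%M}: " + " -> ".join(inc["rules"]))
```

Run stand-alone it reports one incident for alice (the account compromise followed by the mass rename and ransom note, the chain Levi's quote describes) and nothing for bob, whose single failed login and home-country sign-in never cross the threshold. The point a practitioner should take from it is that none of the four rules is fit to page an analyst on its own; the value, and the alert-fatigue reduction the vendors claim, comes from the per-identity windowed correlation and from where the threshold is set, which is exactly the tuning that is hard to get right at scale.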

Once threats have been detected, security analysts can use the case management features of Azure Sentinel to review, triage and prioritize incidents across a SOC team. Hunting and investigation can be carried out in Jupyter notebooks, while playbooks let teams maintain consistent, automated processes for responding to cyber threats.

Additional automation opportunities exist through Azure Logic Apps, a cloud-based workflow platform, which includes an out-of-the-box connector that lets developers trigger a workflow from Azure Sentinel alerts. Azure Logic Apps can then orchestrate a business process that includes creating incidents in ServiceNow, notifying team members over Microsoft Teams, and taking containment actions such as disabling users in Azure AD or blocking IP addresses at the firewall.